Total
36919 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2022-3194 | 1 Wedevs | 1 Dokan | 2025-06-02 | N/A | 5.4 MEDIUM |
The Dokan WordPress plugin before 3.6.4 allows vendors to inject arbitrary javascript in product reviews, which may allow them to run stored XSS attacks against other users like site administrators. | |||||
CVE-2021-24433 | 1 Yukimichi | 1 Simple Sort&search | 2025-06-02 | N/A | 5.4 MEDIUM |
The simple sort&search WordPress plugin through 0.0.3 does not make sure that the indexurl parameter of the shortcodes "category_sims", "order_sims", "orderby_sims", "period_sims", and "tag_sims" use allowed URL protocols, which can lead to stored cross-site scripting by users with a role as low as Contributor | |||||
CVE-2024-35753 | 1 Templatesnext | 1 Onepager | 2025-06-02 | N/A | 6.5 MEDIUM |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in TemplatesNext TemplatesNext OnePager allows Stored XSS. This issue affects TemplatesNext OnePager: from n/a through 1.3.3. | |||||
CVE-2024-23659 | 1 Spip | 1 Spip | 2025-06-02 | N/A | 6.1 MEDIUM |
SPIP before 4.1.14 and 4.2.x before 4.2.8 allows XSS via the name of an uploaded file. This is related to javascript/bigup.js and javascript/bigup.utils.js. | |||||
CVE-2024-22877 | 1 Strangebee | 1 Thehive | 2025-06-02 | N/A | 5.4 MEDIUM |
StrangeBee TheHive 5.2.0 to 5.2.8 is vulnerable to Cross Site Scripting (XSS) in the case reporting functionality. This feature allows an attacker to insert malicious JavaScript code inside the template or its variables, that will be executed in the context of the TheHive application when the HTML report is opened. | |||||
CVE-2024-20270 | 1 Cisco | 2 Broadworks Application Delivery Platform, Broadworks Xtended Services Platform | 2025-06-02 | N/A | 4.8 MEDIUM |
A vulnerability in the web-based management interface of Cisco BroadWorks Application Delivery Platform and Cisco BroadWorks Xtended Services Platform could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. | |||||
CVE-2024-0381 | 1 Bootstrapped | 1 Wp Recipe Maker | 2025-06-02 | N/A | 6.4 MEDIUM |
The WP Recipe Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the use of the 'tag' attribute in the wprm-recipe-name, wprm-recipe-date, and wprm-recipe-counter shortcodes in all versions up to, and including, 9.1.0. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
CVE-2024-0238 | 1 Myeventon | 1 Eventon | 2025-06-02 | N/A | 6.1 MEDIUM |
The EventON Premium WordPress plugin before 4.5.6 and the EventON WordPress plugin before 2.2.8 do not have authorisation in an AJAX action, and do not ensure that the post to be updated belongs to the plugin, allowing unauthenticated users to update arbitrary post metadata. | |||||
CVE-2023-7151 | 1 Piwebsolution | 1 Product Enquiry For Woocommerce | 2025-06-02 | N/A | 6.1 MEDIUM |
The Product Enquiry for WooCommerce WordPress plugin before 3.2 does not sanitise and escape the page parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | |||||
CVE-2023-6732 | 1 Supsystic | 1 Ultimate Maps | 2025-06-02 | N/A | 4.8 MEDIUM |
The Ultimate Maps by Supsystic WordPress plugin before 1.2.16 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed | |||||
CVE-2023-52069 | 1 Kodcloud | 1 Kodbox | 2025-06-02 | N/A | 5.4 MEDIUM |
kodbox v1.49.04 was discovered to contain a cross-site scripting (XSS) vulnerability via the URL parameter. | |||||
CVE-2023-49943 | 1 Zohocorp | 1 Manageengine Servicedesk Plus Msp | 2025-06-02 | N/A | 5.4 MEDIUM |
Zoho ManageEngine ServiceDesk Plus MSP before 14504 allows stored XSS (by a low-privileged technician) via a task's name in a time sheet. | |||||
CVE-2023-48858 | 1 Abocms | 1 Abo.cms | 2025-06-02 | N/A | 6.1 MEDIUM |
A Cross-site scripting (XSS) vulnerability in login page php code in Armex ABO.CMS 5.9 allows remote attackers to inject arbitrary web script or HTML via the login.php? URL part. | |||||
CVE-2023-46952 | 1 Abocms | 1 Abo.cms | 2025-06-02 | N/A | 6.1 MEDIUM |
Cross Site Scripting vulnerability in ABO.CMS v.5.9.3 allows an attacker to execute arbitrary code via a crafted payload to the Referer header. | |||||
CVE-2023-0769 | 1 Hiweb | 1 Migration Simple | 2025-06-02 | N/A | 6.1 MEDIUM |
The hiWeb Migration Simple WordPress plugin through 2.0.0.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high-privilege users such as admins. | |||||
CVE-2023-0376 | 1 Themeum | 1 Qubely | 2025-06-02 | N/A | 5.4 MEDIUM |
The Qubely WordPress plugin before 1.8.5 does not validate and escape some of its block options before outputting them back in a page/post where the block is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | |||||
CVE-2024-28070 | 1 Mitel | 1 Micontact Center Business | 2025-06-02 | N/A | 6.8 MEDIUM |
A vulnerability in the legacy chat component of Mitel MiContact Center Business through 10.0.0.4 could allow an unauthenticated attacker to conduct a reflected cross-site scripting (XSS) attack due to insufficient input validation. A successful exploit could allow an attacker to access sensitive information and gain unauthorized access. | |||||
CVE-2024-26468 | 1 Jstrieb | 1 Url Pages | 2025-06-02 | N/A | 6.1 MEDIUM |
A DOM based cross-site scripting (XSS) vulnerability in the component index.html of jstrieb/urlpages before commit 035b647 allows attackers to execute arbitrary Javascript via sending a crafted URL. | |||||
CVE-2024-26467 | 1 Tabatkins | 1 Railroad-diagram Generator | 2025-06-02 | N/A | 6.1 MEDIUM |
A DOM based cross-site scripting (XSS) vulnerability in the component generator.html of tabatkins/railroad-diagrams before commit ea9a123 allows attackers to execute arbitrary Javascript via sending a crafted URL. | |||||
CVE-2025-1647 | | | 2025-06-01 | N/A | 5.6 MEDIUM |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Bootstrap allows Cross-Site Scripting (XSS). This issue affects Bootstrap: from 3.4.1 before 4.0.0. |